The disclosure relates to computer systems and, more particularly, to systems and methods for authenticating users in secure computer systems.
Computer networks, including the Internet, facilitate the transmission of confidential data between computers at physically and geographically remote locations. An area where such confidential data transmission may occur is electronic commerce and, more particularly, electronic banking. Electronic commerce over computer networks may require that a computer system storing confidential information at one location make that information available to a remote user at another location over an unsecured network. In order to minimize the likelihood of an unauthorized user gaining access to such confidential information, it may be necessary for such computer systems to require a remote computer user to authenticate himself or herself in order to access confidential information. Such authentication procedures may include the use of alpha-numeric serial numbers and passwords. The serial number and password may be provided by the remote user or stored on the computer used by the remote user and transmitted over the network to the computer system maintaining the confidential information. The computer system may then match that serial number and password with stored serial numbers and passwords corresponding to that user in order to gain access to the confidential information pertaining to that user.
In the field of electronic banking, the Federal Financial Institutions Examination Counsel (FFIEC) has issued guidelines that regulators expect banks to use when authenticating the identity of bank customers using online products and services. The FFIEC considers single-factor authentication (for example, a user identification number and password) to be inadequate for high-risk transactions, such as those involving access to customer information or the movement of customer funds. Accordingly, banks have developed user authentication methodologies using multiple and different authentication criteria. For example, such criteria could compromise something the user knows (a user identification number and password), something the user has (a token, secure browser cookie, or flash local shared object) and something the user is (voiceprint, fingerprint or facial recognition). However, a disadvantage of such methodologies is that the first criteria may be stored elsewhere and therefore vulnerable to unauthorized access, the second criteria may be subject to misappropriation, and third criteria may require the user to purchase implement costly computer components or peripherals to create and transmit the digitized biometric data. Accordingly, there is a need for a user authentication process and system that may involve multiple factors but does not require additional computer components, such as fingerprint scanners, retinal scanners or voice recognition software.